=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/crypto.html,v retrieving revision 1.86 retrieving revision 1.87 diff -c -r1.86 -r1.87 *** www/crypto.html 2001/06/26 11:46:14 1.86 --- www/crypto.html 2001/06/27 11:51:21 1.87 *************** *** 79,89 ****

! OpenBSD was the first operating system to ship with an IPSEC stack. ! We've been including IPSEC since early OpenBSD 2.1 release in 1997. ! Our fully conformant in-kernel IPSEC stack, with hardware acceleration based on a number of cards, and our own free ISAKMP daemon, is used as ! one of the machines in the IPSEC conformance testbed run by VPNC.

--- 79,89 ---- ! OpenBSD was the first operating system to ship with an IPsec stack. ! We've been including IPsec since early OpenBSD 2.1 release in 1997. ! Our fully conformant in-kernel IPsec stack, with hardware acceleration based on a number of cards, and our own free ISAKMP daemon, is used as ! one of the machines in the IPsec conformance testbed run by VPNC.

*************** *** 189,195 ****

Stronger temporary names for mktemp(3) and mkstemp(3)

Randomness added to the TCP ISS value for protection against spoofing attacks. !

random padding in IPSEC esp_old packets.

To generate salts for the various password algorithms.

For generating fake S/Key challenges.

In photurisd --- 189,195 ----

Stronger temporary names for mktemp(3) and mkstemp(3)

Randomness added to the TCP ISS value for protection against spoofing attacks. !

random padding in IPsec esp_old packets.

To generate salts for the various password algorithms.

For generating fake S/Key challenges.

In photurisd *************** *** 216,222 ****

In S/Key to provide one time passwords. !
In IPSEC, photurisd and isakmpd(8) --- 216,222 ----
- In S/Key to provide one time passwords. !
- In IPsec, photurisd and isakmpd(8) *************** *** 248,254 **** passwords. See also the USENIX paper on this topic.
- In ! IPSEC to provide confidentiality for the network layer.
- In Kerberos and a handful of kerberized applications, like telnet, --- 248,254 ---- passwords. See also the USENIX paper on this topic.
- In ! IPsec to provide confidentiality for the network layer.
- In Kerberos and a handful of kerberized applications, like telnet, *************** *** 260,266 ****
- In photurisd and isakmpd ! to protect the exchanges where IPSEC key material is negotiated.
- In AFS to protect the messages passing over the network, providing confidentiality of remote filesystem access.
- In libssl to let applications communicate over the de-facto standard --- 260,266 ----
- In photurisd and isakmpd ! to protect the exchanges where IPsec key material is negotiated.
- In AFS to protect the messages passing over the network, providing confidentiality of remote filesystem access.
- In libssl to let applications communicate over the de-facto standard *************** *** 274,282 **** OpenBSD, starting with 2.7, has begun supporting some cryptography hardware such as accelerators and random number generators.
  - IPSEC crypto dequeue
    ! Our IPSEC stack has been modified so that cryptographic functions get ! done out-of-line. Most simple software IPSEC stacks need to do cryptography when processing each packet. This results in synchronous performance. To use hardware properly and speedily one needs to separate these two components, as we have done. Actually, doing this gains some --- 274,282 ---- OpenBSD, starting with 2.7, has begun supporting some cryptography hardware such as accelerators and random number generators.
    - IPsec crypto dequeue
      ! Our IPsec stack has been modified so that cryptographic functions get ! done out-of-line. Most simple software IPsec stacks need to do cryptography when processing each packet. This results in synchronous performance. To use hardware properly and speedily one needs to separate these two components, as we have done. Actually, doing this gains some *************** *** 294,300 **** stable. We wrote our own driver for supporting this chip, rather than using the (USA-written) powercrypt driver, as well ! our driver links in properly to the IPSEC stack. The 7751 is now considered slow by industry standards and many vendors have faster chips (even HiFn now has a faster but more expensive chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. --- 294,300 ---- stable. We wrote our own driver for supporting this chip, rather than using the (USA-written) powercrypt driver, as well ! our driver links in properly to the IPsec stack. The 7751 is now considered slow by industry standards and many vendors have faster chips (even HiFn now has a faster but more expensive chip). Peak performance with 3DES SHA1 ESP is around 63MBit/sec. *************** *** 357,366 **** has now been integrated once we were able to get a free license on the microcode. We have also received (all?) the information needed for supporting the cryptographic functions, which will require a little bit of ! IPSEC subsystem rearranging. Check back later..
      !
    - Intel IPSEC card
      Much like Intel does for all their networking division components, and completely unlike most other vendors, Intel steadfastly refuse to provide us with documentation. We have talked to about five technical people who --- 357,366 ---- has now been integrated once we were able to get a free license on the microcode. We have also received (all?) the information needed for supporting the cryptographic functions, which will require a little bit of ! IPsec subsystem rearranging. Check back later..
      !
    - Intel IPsec card
      Much like Intel does for all their networking division components, and completely unlike most other vendors, Intel steadfastly refuse to provide us with documentation. We have talked to about five technical people who *************** *** 376,382 ****
    - Intel 82802AB/82802AC Firmware Hub RNG
      The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) ! contains a random number generator (RNG). High-performance IPSEC requires more random number entropy. As of April 10, 2000, we support the RNG. We will add support for other RNG's found on crypto chips.
      --- 376,382 ----
    - Intel 82802AB/82802AC Firmware Hub RNG
      The 82802 FWH chip (found on i810, i820, i840, i850, and i860 motherboards) ! contains a random number generator (RNG). High-performance IPsec requires more random number entropy. As of April 10, 2000, we support the RNG. We will add support for other RNG's found on crypto chips.
      *************** *** 447,453 **** www@openbsd.org
      ! $OpenBSD: crypto.html,v 1.86 2001/06/26 11:46:14 brad Exp $ --- 447,453 ---- www@openbsd.org
      ! $OpenBSD: crypto.html,v 1.87 2001/06/27 11:51:21 brad Exp $